- A Pennsylvania-based healthcare facility has fallen victim to a possible EHR data breach after unauthorized users hacked into its EHR system, which was managed by Bizmatics.
Approximately 19,776 individuals were affected by the security incident at Integrated Health Solutions PC, reported the Office of Civil Rights (OCR) on its website.
In a statement on MyPublicNotices.com, the healthcare organization explained that Bizmatics, its EHR vendor, had discovered that an outside entity accessed its systems, which caused some patient files to be exposed. Patients may have had their names, addresses, Social Security numbers, and healthcare visit information disclosed by the possible data breach.
Bizmatics could not confirm if patient records from Integrated Health Solutions PC were accessed during the hacking incident, but the facility has taken measures to strengthen healthcare data security policies.
“Integrated Health Solutions, values your privacy and deeply regrets that this incident occurred and is working closely with its advisors and Bizmatics to ensure the incident is properly addressed, including, a review of our data security measures in order to help prevent a recurrence of such an attack,” reported the statement. “We have also contacted relevant state and federal authorities regarding this issue.”
Earlier this year, Bizmatics had informed several other organizations of potential healthcare data breaches that left EHR files exposed to outside entities.
In one case, Florida-based Southeast Eye Institute, PA, notified 87,314 individuals that their patient records were involved in a hacking incident that took place at Bizmatics, its former EHR and practice management vendor. Bizmatics informed the practice of the incident on March 30, but unauthorized users may have accessed the files starting in January 2015.
The EHR vendor was also involved in a recent healthcare data security incident that involved 19,937 patients at the Pain Treatments Center of America and Interventional Surgery Institute in Arkansas. Similarly, the healthcare facilities reported a potential PHI breach after Bizmatics notified them that data servers containing EHR files were accessed by an outside party in 2015.
Bizmatics has not confirmed if the potential healthcare data breaches were affected by the same hacking incident.
EHR vendor informs healthcare center of possible healthcare data breach
Another healthcare organization has notified patients of a potential healthcare data breach resulting from a hacking incident at Bizmatics.
Vincent Vein Center, a Colorado-based phlebology office, has recently announced that some of its EHR files may have been exposed after an outside entity gained access to the PrognoCIS system, a practice management and EHR system serviced by Bizmatics.
About 2,250 individuals were affected by the healthcare data security event, according to the OCR data breach tool.
The PrognoCIS system had stored and organized complete patient files, reported the healthcare organization. Therefore, patient data that may have been accessed included names, addresses, health insurance information, health visit and treatment information, and other identifying data, such as Social Security numbers.
In a letter, the EHR vendor explained that there has been no indication that Vincent Vein Center’s files were accessed or obtained by the outside party. There was also no evidence that patient information was posted online or publicly shared, noted Bizmatics.
The vendor has collaborated with a cybersecurity firm to investigate the incident and discovered that cybercriminals had installed malware on its systems to capture user credentials, reported the letter.
Nevertheless, the practice has contacted affected individuals about the possible healthcare data breach, established a toll-free number to answer any questions about the incident, and included identity theft protection resources for patients.
In response, Vincent Vein Center has attempted to prevent future healthcare data breaches. It also stated that it is “examining Bizmatics’ practices and determining whether a continued relationship with Bizmatics is appropriate.”
Patient information exposed by abandoned healthcare report
A forgotten report has caused a potential healthcare data breach at the Kern County Mental Health Administration in California.
According to a notification letter on its website, the mental health department had accidently left behind a report containing some patient information after it vacated a section of its building that was under construction.
When the report was discovered, department officials noted that all of the pages were present in the correct order and there was no evidence that anyone had viewed the information. However, it was found in an area that was unattended by department staff and several contractors had been working in the vicinity.
The report included first and last names, internal medical record numbers, internal service codes, and the units where services were provided. Kern County Mental Health Department also confirmed that no treatment or financial information, such as Social Security numbers, driver’s license numbers, or financial account numbers, were involved in the healthcare data security incident.
Only patients who had received care in September 2006 may have had their information exposed by the event, reported the letter. However, the department did not disclose how many patients were potentially involved.
Kern County Mental Health Department has worked to notify all affected individuals and it has included resources on identity protection and healthcare data breaches.
“We regret that this incident occurred and want to assure you that we are reviewing and revising our procedures and practices to minimize the risk of recurrence,” stated the letter.